What do you need to hack a NetScaler if you forgot your nsroot password? An external authentication source.

How does NetScaler authentication work?

Well, NetScaler will use any authentication method configured and will check if the username / password pair fits to any authentication method (in order of bindings, lowest number is the highest priority). The last one will always be local authentication. This is done by aaad, the authentication demon.

You may watch this process by opening BSD shell and type cat /tmp/aaad.debug (see here)

If aaad is able to authenticate a user it will stop and return a message send_accept sending accept to kernel for : administrator

It will also return a set of groups if there are any. Next step, done by NetScaler itself, is the one we use to exploit the process:

NetScaler will try to find any object matching the user or one of it’s group memberships. So NetScaler will assume this user to be the same as a local user, if it is able to find a user with the same name.

So we got it. We open Active Directory and add an user called nsroot. We give it a password of our own choice. And we will be able to log on.

Panic!

How to fix this issue?

well, let’s open nsroot and disable external authentication. I don’t know why external authentication is enabled for this user, and I’d consider this to be a massive security issue